Oracle Advanced Security Administrator's Guide
Release 8.1.6
A76932-01
Library
Product
Index
Contents
Title and Copyright Information
Send Us Your Comments
Preface
Part I Oracle Advanced Security Features
1 Introduction to Oracle Advanced Security
About Oracle Advanced Security
Network Security in a Distributed Environment
Security Threats
Oracle Advanced Security Features
Data Privacy
Data Integrity
Authentication
Single Sign-On
Authorization
Oracle Advanced Security Architecture
Secure Data Transfer Across Network Protocol Boundaries
System Requirements
Oracle Configuration for Network Authentication
Setting the SQLNET.AUTHENTICATION_SERVICES Parameter in sqlnet.ora
Verifying that REMOTE_OS_AUTHENT Is Not Set to TRUE
Setting OS_AUTHENT_PREFIX to a Null Value
Oracle Advanced Security Restrictions
2 Configuring Data Encryption and Integrity
Oracle Advanced Security Encryption
Domestic and Export Editions
DES Algorithm for Standards-Based Encryption
DES40 Algorithm for Backwards Compatibility
RSA RC4 Algorithm for High Speed Encryption
RC4_128 for Domestic Customers
RC4_40 and RC4_56 for International Customers
Triple-DES Support in SSL
Oracle Advanced Security Data Integrity
Types of Attacks
Data Integrity Algorithms Supported
Diffie-Hellman-Based Key Management
Overview of Site-Specific Diffie-Hellman Encryption Enhancement
Overview of Authentication Key Fold-in Encryption Enhancement
Configuring Data Encryption and Integrity
Activating Encryption and Integrity
Negotiating Encryption and Integrity
Setting Encryption and Integrity Parameters Using Net8 Assistant
3 Thin JBDC Support
About the Java Implementation
JDBC Support
Securing Thin JDBC
Implementation Overview
Obfuscation
Configuration Parameters
4 Configuring RADIUS Authentication
RADIUS Overview
RADIUS Authentication Modes
Synchronous Authentication Mode
Challenge-Response (Asynchronous) Authentication Mode
Enabling RADIUS Authentication and Accounting
Task 1: Install RADIUS on the Oracle Server and on the Oracle Client
Task 2: Configure RADIUS Authentication
Task 3: Add the RADIUS Client Name to the RADIUS Server Database
Task 4: Create a User and Grant Access
Task 5: Configure RADIUS Accounting
Task 6: Configure the Authentication Server for Use with RADIUS
Task 7: Configure the RADIUS Server for Use with the Authentication Server
Task 8: Create and Grant Roles
Logging on to the Database
5 Configuring CyberSafe Authentication
Enabling CyberSafe Authentication
Task 1: Install the CyberSafe Server
Task 2: Install the CyberSafe TrustBroker Client
Task 3: Install the CyberSafe Application Security Toolkit
Task 4: Configure a Service Principal for an Oracle Server
Task 5: Extract the Service Table from CyberSafe
Task 6: Install an Oracle Server
Task 7: Install Oracle Advanced Security With CyberSafe
Task 8: Configure Net8 and Oracle on the Server and Client
Task 9: Configure CyberSafe Authentication
Task 10: Create a CyberSafe User on the Authentication Server
Task 11: Create an Externally Authenticated Oracle User on the Oracle Server
Task 12: Get the Initial Ticket for the CyberSafe/Oracle User
Task 13: Connect to an Oracle Server Authenticated by CyberSafe
Troubleshooting the Configuration of the CyberSafe Authentication Adapter
6 Configuring Kerberos Authentication
Enabling Kerberos Authentication
Task 1: Install Kerberos
Task 2: Configure a Service Principal for an Oracle Server
Task 3: Extract a Service Table from Kerberos
Task 4: Install an Oracle Server and an Oracle Client
Task 5: Install Net8 and Oracle Advanced Security
Task 6: Configure Net8 and Oracle
Task 7: Configure Kerberos Authentication
Task 8: Create a Kerberos User
Task 9: Create an Externally-Authenticated Oracle User
Task 10: Get an Initial Ticket for the Kerberos/Oracle User
Utilities for the Kerberos Authentication Adapter
Use okinit to Obtain the Initial Ticket
Use oklist to Display Credentials
Use okdstry to Remove Credentials from Cache File
Connecting to an Oracle Server Authenticated by Kerberos
Troubleshooting the Configuration of Kerberos Authentication
7 Configuring SecurID Authentication
System Requirements
Known Limitations
Enabling SecurID Authentication
Task 1: Register Oracle as a SecurID Client
Task 2: Install Oracle Advanced Security
Task 3: Ensure that Oracle Can Find the Correct UDP Port
Task 4: Configure Oracle as a SecurID Client
Task 5: Configure SecurID Authentication
Creating Users for SecurID Authentication
Task 1: Assign a Card Using Security Dynamics sdadmin Program
Task 2: Create an Oracle Server Account for the User
Task 3: Grant the User Database Privileges
Using SecurID Authentication
Logging On to the Oracle Server
Assigning a New PIN to a SecurID Card
Logging on When the SecurID Card is in "Next Code" Mode
Troubleshooting the Configuration of SecurID Authentication
8 Configuring Identix Biometric Authentication
Overview
Architecture of the Biometric Authentication Service
Administration Architecture
Authentication Architecture
Prerequisites
Installing the TouchSafe II Encrypt Device Driver for Windows NT
Biometric Manager PC
Client PC
Database Server
Biometric Authentication Service
Enabling Biometric Authentication
Task 1: Configure the Database Server that is to become the Authentication Server
Task 2: Configure Identix Authentication
Task 3: Establish a Net Service Name for the Fingerprint Repository Server
Task 4: Verify that the Address of the Database Server is Accessible to the Client
Task 5: Configure the Biometric Manager PC
Administering the Biometric Authentication Service
Create a Hashkey on Each of the Clients:
Authenticating Users with a Biometric Authentication Service
Troubleshooting
9 Configuring DCE GSSAPI Authentication
Configuring DCE GSSAPI Authentication
Task 1: Create the DCE Principal
Task 2: Configure the New DCE Principal and Enable DCE GSSAPI Authentication
Task 3: Set up the Account for Authenticating to the Database
Task 4: Connect to an Oracle Server using DCE GSSAPI Authentication
10 Configuring Secure Socket Layer Authentication
SSL In an Oracle Environment
What You Can Do with SSL
Architecture of SSL in an Oracle Environment
Components of SSL in an Oracle Environment
How SSL Works in an Oracle Environment: The SSL Handshake
SSL Beyond an Oracle Environment
SSL Combined with Other Authentication Methods
Architecture of SSL Combined with Other Authentication Methods
Using SSL Combined with Other Oracle Authentication Methods
Issues When Using SSL
Enabling SSL
Task 1: Install Oracle Advanced Security and Related Products
Task 2: Configure SSL on the Client
Task 3: Configure SSL on the Server
Task 4: Log on to the Database
11 Choosing and Combining Authentication Methods
Connecting with User Name and Password
Disabling Oracle Advanced Security Authentication
Configuring Oracle For Multiple Authentication Methods
Part II Oracle DCE Integration
12 Overview of Oracle DCE Integration
System Requirements
Backward Compatibility
Overview of Distributed Computing Environment (DCE)
Overview of Oracle DCE Integration
Components of Oracle DCE Integration
Flexible DCE Deployment
Release Limitations
13 Configuring DCE for Oracle DCE Integration
Task 1: Create New Principals and Accounts
Task 2: Install the Key of the Server into a Keytab File
Task 3: Configure DCE CDS for Use by Oracle DCE Integration
Give Servers Permission to Create Objects in the CDS Namespace
Load Oracle Service Names into CDS
14 Configuring Oracle for Oracle DCE Integration
DCE Address Parameters
Configuring the Server
Creating and Naming Externally-Authenticated Accounts
Setting up DCE Integration External Roles
Connecting to an Oracle Database as SYSDBA or SYSOPER Using DCE
Configuring the Client
Parameters in protocol.ora
Configuring Clients to Use DCE CDS Naming
Enable CDS for use in Performing Name Lookup
Modify the CDS Attributes File and Restart the CDS
Create a tnsnames.ora File for Loading Oracle Connect Descriptors into CDS
Load Oracle Connect Descriptors into CDS
Delete or Rename the tnsnames.ora File
Modify the sqlnet.ora File to Resolve Names in CDS
Connect to Oracle Servers in DCE
15 Connecting to an Oracle Database in DCE
Starting the Listener
Connecting to an Oracle Database Server in the DCE Environment
Method 1
Method 2
16 DCE and Non-DCE Interoperability
Connecting Clients Outside DCE to Oracle Servers in DCE
Sample Parameter Files
The listener.ora File
The tnsnames.ora File
Using tnsnames.ora for Name Lookup When CDS Is Inaccessible
SQL*Net Release 2.2 and Earlier
SQL*Net Release 2.3 and Net8
Part III Oracle8i Security/Directory Integration
17 Managing Enterprise User Security
Overview of Enterprise User Security
About Directories
Elements of Enterprise User Security Management
Architecture of Enterprise User Security Management
How Enterprise User Security Management Works
User/Schema Separation
Setting Up User/Schema Separation
User/Schema Separation Functionality and SSL
Creating a Shared Schema
Creating an Enterprise User in the Directory
Mapping an Enterprise User to a Shared Schema
Summary
Current User Database Links
Oracle Enterprise User Security Components
Oracle Wallet Manager
Oracle Enterprise Login Assistant
Oracle Enterprise Security Manager
Oracle Internet Directory
Installing and Configuring Enterprise User Security
Task 1: Install or Identify a Certificate Service
Task 2: Install and Configure a Directory Service
Task 3: Install and Configure One or More Databases
Task 4: Configure Database Clients
Task 5: Install and Configure Oracle Enterprise Security Manager
Task 6: Create and Configure Enterprise Users
Task 7: Log In as the Enterprise User
Troubleshooting Enterprise User Login
18 Using Oracle Wallet Manager
Overview
Security Concepts
Using Oracle Wallet Manager with Oracle Application Server
Starting Oracle Wallet Manager
Managing Wallets
Creating a New Wallet
Opening an Existing Wallet
Closing a Wallet
Saving Changes
Saving the Open Wallet to a New Location
Saving in System Default
Deleting the Wallet
Changing the Password
Using Auto Login
Managing Certificates
Managing User Certificates
Managing Trusted Certificates
19 Oracle Enterprise Login Assistant
About Oracle Enterprise Login Assistant
Starting Oracle Enterprise Login Assistant
Enabling Automatic Login
Disabling Automatic Login
Changing a Wallet Password
20 Using Oracle Enterprise Security Manager
Introduction
Installing and Configuring Oracle Enterprise Security Manager
Task 1: Install Oracle Enterprise Security Manager
Task 2: Configure Oracle Enterprise Security Manager
Task 3: Start Oracle Enterprise Security Manager
Task 4: Log Into the Directory
Navigating Oracle Enterprise Security Manager
Changing a Search Base
Browsing the Directory
Administering Enterprise Databases, Domains, and Users
Administering Databases
Administering Enterprise Domains
Administering Enterprise Users
Managing Security Administrators
Part IV Appendixes
A Data Encryption and Integrity Parameters
Sample sqlnet.ora File
Data Encryption and Integrity Parameters
Server Encryption Level Setting
Client Encryption Level Setting
Server Encryption Selected List
Client Encryption Selected List
Server Integrity Level Setting
Client Integrity Level Setting
Server Integrity Selected List
Client Integrity Selected List
Client Profile Encryption
B Authentication Parameters
Parameters for Clients and Servers using CyberSafe Authentication
Parameters for Clients and Servers using Identix Authentication
sqlnet.ora File Parameters
Recommended Minimum Sets of Identix Parameters
Parameters for Clients and Servers using Kerberos Authentication
Parameters for Clients and Servers using SecurID Authentication
Parameters for Clients and Servers using RADIUS Authentication
sqlnet.ora File Parameters
Recommended Minimum Sets of RADIUS Parameters
Initialization File Parameters
Parameters for Clients and Servers using SSL
Authentication Parameters
Cipher Suites
SSL Version
SSL Client Authentication
Wallet Location
C Integrating Authentication Devices Using RADIUS
About the RADIUS Challenge-Response User Interface
Customizing the RADIUS Challenge-Response User Interface
D Oracle Advanced Security FIPS 140-1 Settings
Configuration Parameters
Server Encryption Level Setting
Client Encryption Level Setting
Server Encryption Selection List
Client Encryption Selection List
Cryptographic Seed Value
FIPS Parameter
Post Installation Checks
Status Information
E LDAP Directory Schema for Oracle Database Security
Structural Object Classes
Attributes
Access Controls
F Oracle Implementation of Java SSL
Oracle Java SSL Features
SSL Cipher Suite Supported in Oracle Java SSL
Certificate and Key Management with Oracle Wallet Manager
Oracle Java SSL Examples
Prerequisites
SecureHelloServer Program
SecureHelloClient Program
Firewall Tunnelling Program Using the SSL Socket
Class Hierarchy for Extensions to the Java SSL Package
Interface Hierarchy
oracle.security.ssl
oracle.security.cert
Glossary
Index
Copyright © 1999 Oracle Corporation.
All Rights Reserved.
Library
Product
Index